RE: [load balancing] Alteon AD3 Cookie Issue

From: Andrew Cook <acook [izzat]>
Date: Fri Apr 28 2006 - 18:12:02 EDT

A couple of questions:

What is the expiry on the cookies? Are they only valid for the current
session? Who inserts the cookies? Might it be possible that you're seeing a
subsequent session from a user that has validly changed IP addresses, but
using a stale/ unexpired cookie?

Are the users sitting behind clustered proxies such as carp arrays that may
well be changing the source IP mid-session?

While conceptually you'd like the cookie value and the client IP to match,
what is the real issue here? Is there any suggestion that the SSO sessions
are not the same user, even though the client IP has changed? Do you see
multiple concurrent sessions with differing IP addresses but the same cookie

What is the significance of having the embedded IP address in the cookie? Is
it a functional requirement, or just something to ease troubleshooting?

Not saying it couldn't be an AD3 config/bug, but might the AD3 be doing
exactly what it's supposed to? ;-)



Andrew Cook - Principal Consultant
Smartworx - creating synergies between networks and applications.
65 Hume Street, Crows Nest. NSW. 2065 Australia
t: +612 9016 2880 f: +612 9016 2881 m: +61 419 253 347
email: web:

-----Original Message-----
From: [] On Behalf Of
Sent: Saturday, April 29, 2006 4:16 AM
Subject: [load balancing] Alteon AD3 Cookie Issue

I am reviewing the logs for a website using an Alteon. The Alteon sits in
front of several web servers, load balancing. This is a subscription website
and single sign on is used.

The SSO works most of the time, but occasionally allows a second session
with the same credentials used from a different IP address. The website uses
cookies; the cookies have the IP address included ( encoded as
123456789). When second sessions do occur, the web server log shows the
cookie for the first session ie:

Client A (cookie includes 123456789) Client B
(cookie includes 123456789- NOT 98765432)

This behavior is independent of the web servers; it happens on all of them.
The AD3 will likely be replaced in the very near future.

Has anyone experienced anything like this before or have any idea what
configuration/mis-configuration could cause this?

The Load Balancing Mailing List
MRTG with SLB:
Hosted by:

The Load Balancing Mailing List
MRTG with SLB:
Hosted by:
Received on Fri Apr 28 18:12:14 2006

This archive was generated by hypermail 2.1.8 : Fri Apr 28 2006 - 18:34:05 EDT